CHAPTER X Cryptography from Pairings by K.G. Paterson X.1. Introduction This chapter presents a survey of positive applications of pairings in cryp- tography. We assume the reader has a basic understanding of concepts from cryptography such as public key encryption, digital signatures, and key ex- change protocols. A solid grounding in the general area of cryptography can be obtained by reading [218]. We will attempt to show how pairings (as described in Chapter IX) have been used to construct a wide range of cryptographic schemes, protocols and infrastructures supporting the use of public key cryptography. Recent years have seen an explosion of interest in this topic, inspired mostly by three key contributions: Sakai, Ohgishi and Kasahara’s early and much overlooked work introducing pairing-based key agreement and signature schemes [260]; Joux’s three party key agreement protocol as presented in [167]; and Boneh and Franklin’s identity-based encryption (IBE) scheme built from pairings [36]. The work of Verheul [305] has also been influential because it eases the cryptographic application of pairings. We will give detailed descriptions of these works as the chapter unfolds. To comprehend the rate of increase of research in this area, note that the bibliography of an earlier survey [250] written in mid-2002 contains 28 items, while, at the time of writing in early 2004, Barreto’s website [14] lists over 100 research papers.1 Thus a survey such as this cannot hope to comprehensively cover all of the pairing-based cryptographic research that has been produced. Instead, we focus on presenting the small number of schemes that we consider to be the high points in the area and which are likely to have a significant impact on future research. We provide brief notes on most of the remaining literature, and omit some work entirely. We do not emphasise the technical details of security proofs, but we do choose to focus on schemes that are supported by such proofs. 1A second source for papers on cryptography from pairings is the IACR preprint server at http://eprint.iacr.org. Another survey on pairings and cryptography by Joux [168] covers roughly the same topics as this and the previous chapter. 205 206 X. CRYPTOGRAPHY FROM PAIRINGS X.1.1. Chapter Plan. In the next two sections, we introduce the work of Sakai et al. [260], Joux [167] and Boneh and Franklin [36]. Then in Section X.4, we consider various types of signature schemes derived from pairings. Section X.5 is concerned with further developments of the IBE scheme of [36] in the areas of hierarchical identity-based cryptography, intrusion-resilient cryptography and related topics. Section X.6 considers how the key agree- ment protocols of [260, 167] have been extended. In the penultimate section, Section X.7, we look more closely at identity-based cryptography and exam- ine the impact that pairings have had on infrastructures supporting the use of public key cryptography. We also look at a variety of trials and imple- mentations of pairing-based cryptography. We draw to a close with a look towards the future in Section X.8. X.1.2. Pairings as Black Boxes. In this chapter, we will largely treat pairings as “black boxes”, by which we mean that we will not be particularly interested in how the pairings can be selected, computed and so on. Rather we will treat them as abstract mappings on groups. Naturally, Chapter IX is the place to look for the details on these issues. The reason to do this is so that we can concentrate on the general cryptographic principles behind the schemes and systems we study, without being distracted by the implementa- tion details. It does occasionally help to look more closely at the pairings, however. For one thing, the availability of easily computable pairings over suitably “compact” groups and curves is key to the utility of some of the pairing-based proposals that we study. And of course, the real-world secu- rity of any proposal will depend critically on the actual curves and pairings selected to implement that proposal. It would be inappropriate in a chapter on applications in cryptography to completely ignore these issues of efficiency and security. So we will “open the box” whenever necessary. Let us do so now, in order to re-iterate some notation from the previous chapter and to establish some of the basics for this chapter. We recall the basic properties of a pairing e : G1 × G2 → G3 from Section IX.1. In brief, e is a bilinear and non-degenerate map and will be derived from a Tate or Weil pairing on an elliptic curve E(Fq). In cryptographic applications of pairings, it is usually more convenient to work with a single subgroup G1 of E(Fq) having prime order r and generator P as input to the pairing, instead of two groups G1 and G2. For this reason, many of the schemes and systems we study were originally proposed in the context of a “self-pairing” as described in Section IX.7. To ensure that the cryptographic schemes are not completely trivial, it is then important that e(P,P ) =6 1. The distortion maps of Verheul [305] are particularly helpful in ensuring that these conditions can be met for supersingular curves. As in Section IX.7.3, we assume that E(Fq) is a supersingular elliptic curve with r|#E(Fq) for some prime r. We write k > 1 for the embedding degree F 2 for E and r, and assume that E( qk ) has no points of order r . As usual, X.1. INTRODUCTION 207 (qk−1)/r F F F we write e(Q, R) = hQ, Rir ∈ qk for Q ∈ E( q)[r] and R ∈ E( qk ). We then let ϕ denote a non-rational endomorphism of E (a distortion map). Suitable maps ϕ are defined in Table IX.1. We put G1 = hP i where P is any F F∗ F∗ r non-zero point in E( q)[r] and G3 = qk /( qk ) . We then writee ˆ for the map from G1 × G1 to G3 defined by: eˆ(Q, R)= e(Q, ϕ(R)). The functione ˆ is called a modified pairing. As a consequence of its derivation from the pairing e and distortion map ϕ, it has the following properties: ′ ′ Bilinearity: For all Q, Q ,R,R ∈ G1, we have eˆ(Q + Q′, R)=ˆe(Q, R) · eˆ(Q′, R) and ′ ′ eˆ(Q, R + R )=ˆe(Q, R) · eˆ(Q, R ). Symmetry: For all Q, R ∈ G1, we have eˆ(Q, R)=ˆe(R, Q). Non-degeneracy: We have eˆ(P,P ) =16 . Hence we have:e ˆ(Q, P ) =6 1 for all Q ∈ G1, Q =6 O ande ˆ(P, R) =6 1 for all R ∈ G1, R =6 O. Although our notation inherited from the previous chapter suggests that the mape ˆ must be derived from the Tate pairing, this need not be the case. The Weil pairing can also be used. However, as Chapter IX spells out, the Tate pairing is usually a better choice from an implementation perspective. Relying on distortion maps in this way limits us to using supersingular curves. There may be good implementation or security reasons for working with curves other than these, again as Chapter IX makes clear. (In partic- ular, special purpose algorithms [2, 3, 82, 169] can be applied to solve the F discrete logarithm problem in qk when E is one of the supersingular curves over a field of characteristic 2 or 3 in Table IX.1. This may mean that larger parameters than at first appears must be chosen to obtain required security levels.) Most of the cryptographic schemes that were originally defined in the self-pairing setting can be adapted to operate with ordinary curves and unmodified pairings, at the cost of some minor inconvenience (and sometimes a loss of bandwidth efficiency). We will encounter situations where ordinary curves are in fact to be preferred. Moreover, we will present some schemes us- ing the language of self-pairings that were originally defined using unmodified pairings. We will note in the text where this is the case. We can summarise the above digression into some of the technicalities of pairings as follows. By carefully selecting an elliptic curve E(Fq), we can obtain a symmetric, bilinear mape ˆ : G1 × G1 → G3 with the property thate ˆ(P,P ) =6 1. Here, P of prime order r on E(Fq) generates G1 and 208 X. CRYPTOGRAPHY FROM PAIRINGS F G3 is a subgroup of qk for some small k. When parameters hG1,G3, eˆi are appropriately selected, we also have the following properties: Efficiency: The computation ofe ˆ can be made relatively efficient (equiv- alent perhaps to a few point multiplications on E(Fq)). Elements of G1 and G3 have relatively compact descriptions as bit-strings, and arith- metic in these groups can be efficiently implemented. Security: The bilinear-Diffie–Hellman problem and the decision-bilinear- Diffie–Hellman problem are both computationally hard.2 X.2. Key Distribution Schemes In this section, we review the work of Sakai et al. [260] and Joux [167] on key distribution schemes built from pairings. These papers paved the way for Boneh and Franklin’s identity-based encryption scheme, the subject of Section X.3. Note that both papers considered only unmodified pairings. We have translated their schemes into the self-pairing setting in our presentation. X.2.1. Identity-Based Non-Interactive Key Distribution. Key distri- bution is one of the most basic problems in cryptography.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages65 Page
-
File Size-